A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
1. a look into the sanitizer family
by Akul Pillai
2. >_ whoami
● Akul Pillai (Twitter: @akulpillai)
● 2nd year CSE BTech Student @ Amrita School of
Engineering, Amritapuri
● aka k4iz3n, CTF Player @teambi0s
● Reverse Engineering and Binary Exploitation
● Organizing team @ InCTF and InCTFj
3. >_ Agenda
● What are Sanitizers?
○ Overview
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)
4. >_ What are Sanitizers?
● A family of dynamic testing tools in Clang, GCC and Xcode that
instrument your program so that bugs are detected while it runs,
not by inspecting the source.
● Detects bugs such as
○ buffer overflows
○ signed integer overflows
○ uninitialized memory reads
○ data races, etc
● An excellent companion to fuzzing: a bug that would not crash on
its own (a one-byte heap overflow, a read of freed memory) is
turned into an immediate, diagnosed abort the fuzzer can record.
6. >_ Characteristics of Sanitizers
● Compiler instrumented
○ The compiler adds checks inlined into the generated code
● Checks are performed dynamically, at run time
○ Meaning only bugs on code paths that are actually executed are
reported, so your coverage (tests, fuzzing) decides what you find
● A detailed report is printed when a check fails (bug class,
faulting location and a symbolized stack trace)
7. >_ Agenda
● What are Sanitizers?
○ Types
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)
8. >_ Address Sanitizer (ASan)
● Open source tool developed by Google.
● Is a fast memory corruption bug detector
● ASan can detect:
○ Use after free (dangling pointer dereference)
○ Heap buffer overflow
○ Stack buffer overflow
○ Global buffer overflow
○ Use after return
○ Use after scope
9. >_ ASan - Usage
Ships with the following compilers, and can be enabled using
the following flags:
○ GCC & Clang: -fsanitize=address
○ Xcode: Runtime Sanitization > Enable Address Sanitizer
○ Also pass -g (file:line in the report) and -fno-omit-frame-pointer
(accurate stack traces); -O1 or higher keeps the instrumented
binary reasonably fast
10. >_ ASan - Working
before instrumentation:
    *address = ...; // or: ... = *address;
after instrumentation:
    if (IsPoisoned(address)) {
        ReportError(address, kAccessSize, kIsWrite);
    }
    *address = ...; // or: ... = *address;
11. >_ ASan - Memory Mapping
● The address-to-shadow mapping is a fixed shift-and-add, which is
what keeps the inlined check cheap
● The virtual address space is divided into 2 disjoint
classes:
○ Main application memory (Mem): this memory is used by the regular
application code.
○ Shadow memory (Shadow): This memory contains the shadow values (or
metadata).
12. >_ ASan - Memory Mapping
[diagram: shadow byte values 0, 7..1 and -1 against an 8-byte granule]
● 8 bytes of main memory is mapped to 1 byte of shadow memory
● Shadow value 0: all 8 bytes are addressable
● Shadow value k (1..7): the first k bytes are addressable, the rest are not
● Negative shadow value (-1 in the diagram): the whole 8-byte granule is
unaddressable/poisoned
13. >_ ASan - Instrumentation
the check from the previous slide:
    if (IsPoisoned(address)) {
        ReportError(address, kAccessSize, kIsWrite);
    }
    *address = ...; // or: ... = *address;
using shadow memory:
    shadow_address = MemToShadow(address);
    if (ShadowIsPoisoned(shadow_address)) {
        ReportError(address, kAccessSize, kIsWrite);
    }
    *address = ...; // or: ... = *address;
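The shadow lookup and poisoning described on slides 11-13, as an added example in plain C (my code, not the slides' or the ASan project's). Application "addresses" are indices into a small static array, so MemToShadow is the shift with Offset 0 and no sanitizer runtime is involved; model_malloc, model_free, is_poisoned, describe_access and the bump allocator behind them are this example's own names and simplifications. The shadow byte codes fa and fd are the ones a real ASan report prints in its legend for the heap left redzone and freed heap memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APP_SIZE    512                 /* bytes of modelled application memory */
#define GRANULE     8                   /* 8 app bytes -> 1 shadow byte */
#define SHADOW_SIZE (APP_SIZE / GRANULE)
#define REDZONE     16                  /* poisoned bytes on each side of an allocation */

/* Shadow byte values; the negative ones are the codes from an ASan report legend. */
#define kAddressable     ((int8_t)0)
#define kHeapLeftRedzone ((int8_t)0xfa)
#define kFreedHeap       ((int8_t)0xfd)

static unsigned char app_mem[APP_SIZE];
static int8_t shadow[SHADOW_SIZE];      /* 0: all 8 ok, 1..7: first k ok, <0: poisoned */
static size_t heap_top;                 /* hypothetical bump allocator for the model */

/* MemToShadow: Shadow = (Mem >> 3) + Offset; Offset is 0 because addresses are indices. */
static int8_t *mem_to_shadow(size_t addr) { return &shadow[addr >> 3]; }

/* Write one shadow value over the granules covering [start, start+len). */
static void set_shadow(size_t start, size_t len, int8_t value)
{
    for (size_t a = start; a < start + len; a += GRANULE)
        *mem_to_shadow(a) = value;
}

/* Fresh heap: everything poisoned, like memory the allocator has not handed out. */
static void model_heap_reset(void)
{
    heap_top = 0;
    memset(app_mem, 0, sizeof app_mem);
    set_shadow(0, APP_SIZE, kHeapLeftRedzone);
}

/* malloc(n): skip a left redzone, unpoison the user bytes. Full granules get 0,
 * the trailing partial granule gets n % 8, the right redzone stays poisoned.
 * Returns the start index, or (size_t)-1 if the model heap is exhausted. */
static size_t model_malloc(size_t n)
{
    size_t user = heap_top + REDZONE;
    size_t rounded = (n + GRANULE - 1) / GRANULE * GRANULE;
    if (user + rounded + REDZONE > APP_SIZE) return (size_t)-1;
    set_shadow(user, n - n % GRANULE, kAddressable);
    if (n % GRANULE) *mem_to_shadow(user + n - n % GRANULE) = (int8_t)(n % GRANULE);
    heap_top = user + rounded + REDZONE;
    return user;
}

/* free(): ASan quarantines the chunk and poisons it with fd, so a later access
 * is reported as heap-use-after-free instead of silently succeeding. */
static void model_free(size_t p, size_t n)
{
    set_shadow(p, (n + GRANULE - 1) / GRANULE * GRANULE, kFreedHeap);
}

/* The check ASan inlines before each load/store: for up to 8 bytes inside one
 * granule it is one shadow load plus a compare of the last accessed byte's
 * offset against the shadow value; wider accesses walk every granule spanned.
 * Returns 1 if any byte of [addr, addr+size) is unaddressable. */
static int is_poisoned(size_t addr, size_t size)
{
    if (size == 0 || addr + size > APP_SIZE) return 1;
    size_t end = addr + size;
    while (addr < end) {
        size_t granule = addr & ~(size_t)(GRANULE - 1);
        int8_t k = *mem_to_shadow(addr);
        size_t last = end - granule - 1;        /* last touched offset in this granule */
        if (last > GRANULE - 1) last = GRANULE - 1;
        if (k < 0 || (k != 0 && (int)last >= k)) return 1;
        addr = granule + GRANULE;
    }
    return 0;
}

/* The bug class ReportError would name for this access. */
static const char *describe_access(size_t addr, size_t size)
{
    if (!is_poisoned(addr, size)) return "ok";
    if (addr + size > APP_SIZE) return "wild-access";
    return *mem_to_shadow(addr) == kFreedHeap ? "heap-use-after-free" : "heap-buffer-overflow";
}

/* An instrumented 1-byte store; reports and returns 1 instead of aborting. */
static int checked_store8(size_t addr, unsigned char value)
{
    if (is_poisoned(addr, 1)) {
        fprintf(stderr, "ERROR: AddressSanitizer(model): %s on address %zu, shadow byte %02x\n",
                describe_access(addr, 1), addr, (unsigned char)*mem_to_shadow(addr));
        return 1;
    }
    app_mem[addr] = value;
    return 0;
}

int main(void)
{
    model_heap_reset();
    size_t buf = model_malloc(10);                              /* char *buf = malloc(10); */
    printf("buf[9]  : %s\n", describe_access(buf + 9, 1));
    printf("buf[10] : %s\n", describe_access(buf + 10, 1));    /* one past the end */
    printf("buf[-1] : %s\n", describe_access(buf - 1, 1));     /* into the left redzone */
    checked_store8(buf + 10, 'A');
    model_free(buf, 10);
    printf("buf[0] after free: %s\n", describe_access(buf, 1));
    return 0;
}
```

The partial-granule case is the one worth studying: a 10-byte allocation leaves shadow value 2 on its second granule, so buf[9] passes and buf[10] is caught even though both live in the same 8-byte granule. Real ASan additionally keeps freed chunks in quarantine for a while so the fd shadow is not immediately recycled by a new allocation.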
20. >_ Agenda
● What are Sanitizers?
○ Types
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)
21. >_ Undefined Behaviour Sanitizer (UBSan)
● Undefined Behaviour is what the language standard assigns to
operations it gives no meaning to: the compiler may assume they
never happen, so anything can result. Examples:
○ dividing by zero
○ loading memory from a misaligned pointer
○ dereferencing a null pointer.
● UBSan detects, among others:
○ out-of-bounds access of arrays (only where the bound is visible
to the compiler, i.e. arrays of statically known size, not
pointers into heap memory)
○ signed integer overflow (unsigned wrap-around is defined and is
only flagged by the separate -fsanitize=unsigned-integer-overflow
check)
○ out-of-range casts to, from, or between floating-point types and
other types.
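What the UBSan instrumentation amounts to, spelled out by hand as an added example (my code, not the slides' or the compiler's): each function performs the check that the named -fsanitize= sub-check emits before the operation, and returns a code instead of aborting so the results can be inspected. The enum, the function names and the 8-byte "packet" are this example's own; the packet bytes are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classes of undefined behaviour the checks below report (names are this example's own). */
enum ub_kind {
    UB_NONE = 0,
    UB_SIGNED_OVERFLOW,     /* -fsanitize=signed-integer-overflow */
    UB_DIVIDE_BY_ZERO,      /* -fsanitize=integer-divide-by-zero */
    UB_SHIFT_EXPONENT,      /* -fsanitize=shift-exponent */
    UB_SHIFT_BASE,          /* -fsanitize=shift-base */
    UB_NULL_DEREF,          /* -fsanitize=null */
    UB_MISALIGNED,          /* -fsanitize=alignment */
    UB_OUT_OF_BOUNDS        /* -fsanitize=bounds */
};

static const char *ub_name(enum ub_kind k)
{
    static const char *names[] = { "none", "signed-integer-overflow", "integer-divide-by-zero",
        "shift-exponent", "shift-base", "null-dereference", "misaligned-access", "out-of-bounds" };
    return names[k];
}

/* a + b is UB if the mathematical result is not representable; decide without computing it. */
static enum ub_kind checked_add(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) return UB_SIGNED_OVERFLOW;
    *out = a + b;
    return UB_NONE;
}

/* a / b: division by zero, plus the one overflowing quotient INT_MIN / -1. */
static enum ub_kind checked_div(int a, int b, int *out)
{
    if (b == 0) return UB_DIVIDE_BY_ZERO;
    if (a == INT_MIN && b == -1) return UB_SIGNED_OVERFLOW;
    *out = a / b;
    return UB_NONE;
}

/* a << n: exponent in [0, width), base non-negative and the result representable. */
static enum ub_kind checked_shl(int a, int n, int *out)
{
    if (n < 0 || n >= (int)(sizeof(int) * CHAR_BIT)) return UB_SHIFT_EXPONENT;
    if (a < 0 || a > (INT_MAX >> n)) return UB_SHIFT_BASE;
    *out = a << n;
    return UB_NONE;
}

/* *(uint32_t *)p: null and alignment are checked before the load happens. */
static enum ub_kind checked_load_u32(const void *p, uint32_t *out)
{
    if (p == NULL) return UB_NULL_DEREF;
    if ((uintptr_t)p % _Alignof(uint32_t) != 0) return UB_MISALIGNED;
    *out = *(const uint32_t *)p;
    return UB_NONE;
}

/* arr[i] with an explicit bound; UBSan only emits this where it can see the bound. */
static enum ub_kind checked_index(const int *arr, size_t n, size_t i, int *out)
{
    if (i >= n) return UB_OUT_OF_BOUNDS;
    *out = arr[i];
    return UB_NONE;
}

/* Constructed 8-byte "packet": the 4-byte field at byte offset 1 is misaligned,
 * the classic undefined behaviour in hand-written binary parsers. */
static const uint32_t packet_words[2] = { 0x11223344u, 0x55667788u };

static enum ub_kind load_packet_field(size_t off, uint32_t *out)
{
    const unsigned char *bytes = (const unsigned char *)packet_words;
    if (off + sizeof(uint32_t) > sizeof packet_words) return UB_OUT_OF_BOUNDS;
    return checked_load_u32(bytes + off, out);
}

int main(void)
{
    int r = 0; uint32_t v = 0;
    printf("INT_MAX + 1     -> %s\n", ub_name(checked_add(INT_MAX, 1, &r)));
    printf("INT_MIN / -1    -> %s\n", ub_name(checked_div(INT_MIN, -1, &r)));
    printf("1 << 31         -> %s\n", ub_name(checked_shl(1, 31, &r)));
    printf("1 << 32         -> %s\n", ub_name(checked_shl(1, 32, &r)));
    printf("packet field @1 -> %s\n", ub_name(load_packet_field(1, &v)));
    printf("packet field @4 -> %s (0x%08x)\n", ub_name(load_packet_field(4, &v)), v);
    return 0;
}
```

Note that every check runs before the operation: once `a + b` has overflowed, the optimizer is entitled to assume it did not, so testing the result afterwards is itself the bug UBSan is there to catch. Unsigned arithmetic needs none of this, which is why -fsanitize=undefined leaves it alone.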
22. >_ UBSan - Usage
Ships with the following compilers, and can be enabled using
the following flags:
○ GCC & Clang: -fsanitize=undefined
○ Xcode: Runtime Sanitization > Enable Undefined Behaviour
Sanitizer
○ By default UBSan prints a diagnostic and lets the program
continue; add -fno-sanitize-recover=undefined to abort on the
first finding, which is what you want under a fuzzer